@farrellit
Created December 19, 2016 03:57
iid=i-04XXXXXXXXXXXXX4f
# find the security groups of the instance (queries are quoted so the shell does not glob the [*] parts)
securitygroups=$(aws --profile dev ec2 describe-instances --region us-east-2 --instance-ids "$iid" --query 'Reservations[*].Instances[*].SecurityGroups[*][GroupId]' --output text)
# see the open rules (there are usually not many)
# $securitygroups is deliberately unquoted so each group ID becomes its own argument
aws --profile dev --region us-east-2 ec2 describe-security-groups --group-ids $securitygroups --query '*[*][GroupId,IpPermissions[?FromPort!=null].[FromPort,ToPort,IpRanges[*].CidrIp]]' --output text
# find the subnet
subnet=$(aws --profile dev ec2 describe-instances --region us-east-2 --instance-ids "$iid" --query 'Reservations[*].Instances[*][SubnetId]' --output text)
# now check the default route. If it's through an IGW (GatewayId starts with igw-), we should be good!
# An empty result can also mean the subnet has no explicit association and uses the VPC's main route table.
aws ec2 --region us-east-2 --profile dev describe-route-tables --filters "Name=association.subnet-id,Values=$subnet" --query "RouteTables[*].Routes[?DestinationCidrBlock=='0.0.0.0/0']"
# get its public IP
aws --profile dev ec2 describe-instances --region us-east-2 --instance-ids "$iid" --query 'Reservations[*].Instances[*].PublicIpAddress' --output text
# And you're good to go!
@farrellit
Author

How to discover whether iid in an EC2 subnet is actually able to hold a public IP
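
The route check in the script filters on `association.subnet-id`, which matches nothing for a subnet that inherits the VPC's main route table. As an added example (not part of the original gist), the functions below fall back to the main table before testing for an `igw-` default route; the function names are hypothetical, and `PROFILE` and `REGION` default to the gist's `dev` and `us-east-2`.

```shell
# Added example, not from the original gist. Function names are hypothetical;
# PROFILE and REGION default to the values the gist uses.
PROFILE=${PROFILE:-dev}
REGION=${REGION:-us-east-2}

# Thin wrapper so every call uses the same profile, region and text output.
ec2() {
  aws --profile "$PROFILE" --region "$REGION" --output text ec2 "$@"
}

# Print the route table that governs a subnet: the explicitly associated one,
# or the VPC's main route table when the subnet has no explicit association.
route_table_for_subnet() {
  local subnet rtb vpc
  subnet=$1
  rtb=$(ec2 describe-route-tables \
    --filters "Name=association.subnet-id,Values=$subnet" \
    --query 'RouteTables[].RouteTableId')
  if [ -z "$rtb" ] || [ "$rtb" = None ]; then
    vpc=$(ec2 describe-subnets --subnet-ids "$subnet" --query 'Subnets[].VpcId')
    rtb=$(ec2 describe-route-tables \
      --filters "Name=vpc-id,Values=$vpc" "Name=association.main,Values=true" \
      --query 'RouteTables[].RouteTableId')
  fi
  printf '%s\n' "$rtb"
}

# Return 0 if the subnet's 0.0.0.0/0 route targets an internet gateway,
# 1 if it does not (NAT gateway, no default route, ...), 2 if no table was found.
subnet_is_public() {
  local rtb gw
  rtb=$(route_table_for_subnet "$1")
  if [ -z "$rtb" ] || [ "$rtb" = None ]; then
    return 2
  fi
  # A default route through a NAT gateway has no GatewayId, so the result is empty.
  gw=$(ec2 describe-route-tables --route-table-ids "$rtb" \
    --query "RouteTables[].Routes[?DestinationCidrBlock=='0.0.0.0/0'][].GatewayId")
  case $gw in
    igw-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: subnet_is_public "$subnet" && echo "default route goes through an IGW"
```

A public subnet is only one of the conditions the script checks: the instance still needs a public IP and a security group rule that admits the traffic.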
